Belfast 2014: Briefing
BRIEFING #BELFAST2014 REPORT
4TH WORLD CYBER SECURITY TECHNOLOGY RESEARCH SUMMIT
BELFAST 2014
SECURING OUR DIGITAL TOMORROW

Belfast 2014: Report 2

ABOUT CSIT

The Centre for Secure Information Technologies (CSIT) at Queen’s University Belfast is the UK’s Innovation and Knowledge Centre (IKC) for Secure Information Technologies and a UK Academic Centre of Excellence in Cyber Security Research (ACE-CSR).

At CSIT we are building a global innovation hub for cyber security. Our annual Summit is a rallying point for world leading researchers, policy makers and leaders from the global cyber security industry to meet and share knowledge, insights and challenges through open innovation, in an environment which encourages information sharing and frank discussion.

ABOUT BELFAST 2014

The fourth World Cyber Security Technology Research Summit – Belfast 2014 – saw the event come full circle once again as we sought to horizon scan the cyber security landscape and define research challenges which will form the basis of new programmes here at The Centre for Secure Information Technologies (CSIT) and other world leading institutions in the coming years. This year’s Summit was the biggest ever, both in terms of numbers of attendees and in terms of the activity programme, which saw two new parallel streams added in addition to the core “Cyber 100” stream familiar to many. The new streams – PRECYSE and Techstars – added new dimensions: helping new cyber security start-ups gain access to experienced industry veterans and funders, and acting as an outlet for the PRECYSE consortium to disseminate findings from their project and seek input from a broad spectrum of end-users.

Attendees pictured under The Rotunda at Belfast City Hall, location for the Summit Gala Dinner


EXECUTIVE SUMMARY

Belfast 2014 benefited from a new multi-stream format and was CSIT’s largest World Cyber Security Technology Research Summit to date. The event theme of “Securing our Digital Tomorrow” enabled organisers to expand participation and extend invites to some of the most promising cyber security entrepreneurs in this cluster to take part in the Techstars stream, where they benefited from the collective experience of leading industry, academic, venture capital and government figures. Furthermore, the PRECYSE stream enabled those with interests in cyber security for critical infrastructure to gain a deeper understanding of the scope, challenges and outcomes of this significant collaborative European project, of which CSIT is a partner.

With 13 keynote speakers, the line-up was significant and included high level government speakers from the US Department of Homeland Security, UK GCHQ, UK Technology Strategy Board, Estonia’s Information Security Authority and Korea’s Information Security Agency. Industry representatives came from Intel Corporation, Sophos, Facebook, Techstars UK and Ireland’s BH Consulting. Finally, academic input featured Hangyang University, Korea, Queen’s University Belfast and The Royal College of Surgeons in Ireland.

People

A recurrent theme over the course of the two days was people. People are a significant weak link in the security chain, both in terms of threat actors and in terms of the demand for skilled cyber security professionals. In his keynote, Doug Maughan from DHS said ‘With regard to threats in cyber security, the user is the weakest link and cyber criminals are people’. Jaan Priisalu underlined that Estonia is undertaking cyber security but is hampered by its small population and a lack of people to provide cyber security. Mary Aiken from RCSI proffered that the online disinhibition effect dictates that people do things in the virtual world that they would not do in the real world. Mark Crosbie highlighted Facebook’s disruption of the malware economy by making cyber-crime less valuable, e.g. it offers money to people who find Facebook security vulnerabilities.

Breakout sessions

Substantive output from the Summit included presentations on the top challenges, future technologies and practical steps required by research organisations, following two sets of four breakout sessions. Summaries of those sessions follow.

Secure Digital Assets

The topics of discussion focused on monetizing personal data, privacy protection and greater transparency from data aggregators, as well as the need for greater education for citizens in terms of how data sources can be linked to produce a bigger picture of an individual. Finally, technical solutions to the right to be forgotten problem were discussed.

Secure Digital Devices

Discussions focused on the theoretical security implications of two commodity digital devices, namely a $30 smart TV dongle and a $5 smart light bulb. This bounded the discussions in terms of user expectation of security at such a low price point, who pays for security updates, device lifecycle and who is liable when things go wrong. They then progressed to proposing new interoperability frameworks, automatic on-the-fly rating of devices connecting to home hubs and trust models, and rounded off by discussing educational opportunities for teaching citizens to manage their own critical infrastructure.

Secure Digital Citizens

Data ownership, profiting from citizen data and social inclusion featured prominently in these sessions. The groups touched on the issue of data retention, and whether an individual has the right to be ‘forgotten’ or the choice to be invisible or anonymous on the internet.

Blue Skies

In these sessions, privacy and trust, system resilience, liability for cyber-crime, technologies that enable new privacy models (multiple personas etc.) and self-healing networks and systems all featured. The opportunity for tailored trustworthy spaces for various security specific contexts was also discussed.


OPENING ADDRESSES

PROFESSOR PATRICK JOHNSON, PRESIDENT AND VICE CHANCELLOR, QUEEN’S UNIVERSITY BELFAST

The Summit was opened by the Vice Chancellor and President of Queen's University, Belfast, who welcomed guests and delegates to CSIT, Queen's University of Belfast and the 4th World Cyber Security Technology Research Summit. He outlined the importance of the conference, referring to its international significance for innovation and excellence in cyber security.

He explained that one of his tenets as the new Vice Chancellor will be to make Queen's University global, presenting excellence and solutions for society. He indicated that CSIT had all of these hallmarks, playing a leading part in cyber security worldwide, thinking in the field, encouraging dialogue and shaping issues important to society. In only 5 years, CSIT had grown into a global innovation hub in cyber security with an excellent peer review standing.

Professor Johnson spoke of his recent role as Chair of the Cancer Bill of Rights in Strasbourg, the rationale of which is to break down barriers, providing even cancer care throughout Europe. This will only materialise if we have secure technology and data transfer; thus there is a great need for Institutes like CSIT. A key feature of CSIT is open innovation: working at the boundary of knowledge with different people to produce new technology, increasing collaboration between academics, governments and industry.

The skills gap and the need for graduates skilled in cyber security was discussed, with the Vice Chancellor stating his long term commitment to CSIT's leadership in cyber security and its contribution to education, illustrated by the creation of a new MSc in Cyber Security, designed in part with industry. Cyber security presents problems and opportunities; working together and developing innovative solutions provides the best chance to meet these problems.

SIMON HAMILTON MLA, MINISTER OF FINANCE AND PERSONNEL

Mr Hamilton commenced by saying how happy he was to be at the Summit and extended his warm welcome to all academic, industry and government representatives. He appreciated how critical cyber security is in business and government, and that the work of CSIT was crucial for tackling cyber security risks. In 2013 the UK market in cyber security was £2.8 billion; this is predicted to grow to £9 billion by 2016.

CSIT and cyber security companies are meeting this demand, particularly with the CSIT open innovation model stimulating collaboration between industry, government, SMEs, and hi-tech Foreign Direct Investment (FDI) companies in Northern Ireland. The Summit is very worthwhile in this respect, providing a valuable opportunity for collaboration and discussion of cyber-crime issues and, with the addition of blue skies sessions, encouraging frank and open discussion leading to fresh thinking.

Online commerce is a very important retail mode, particularly in the UK. It, however, also attracts increasing levels of crime. The UK government is tackling this in various ways: issuing a statement on cyber-crime, encouraging cyber security information sharing in trusted environments, setting up a national crime unit in cyber security and providing cyber security information to business. This remains a work in progress, and to further this work, we turn to professionals like you.

As Finance and Personnel Minister, Mr Hamilton is responsible for IT security in the NI civil service and the provision of resilient secure systems for NIDirect government to public communications. In this, there is a need to reassure citizens of increased resilience to attack and secure data communications.


Cyber breaches worldwide are increasing and there remain threats which are not always technical. It is vital to protect information important to the viability of business, and the field of cyber security is therefore key to mitigating such risks. Mr Hamilton concluded by hoping that the attendees' time in Belfast proved interesting and rewarding, leading to new insights, contacts and work, helping us to stay one step ahead in cyber security.

PROFESSOR JOHN MCCANNY, CSIT PRINCIPAL INVESTIGATOR

Professor McCanny added his welcome to CSIT and the 4th Cyber Security Summit. He highlighted that the Summit attracts many senior representatives from industry, government and academia and provides discussion on major cyber security challenges and threats.

The Summit is consistent with the role taken by Queen's University in the NI Science Park. From its creation in 2009, the purpose of CSIT has been to be a UK Centre for cyber security, accelerating the economic impact of new ideas and research to deliver commercial and business impact. In CSIT, research is juxtaposed with work from business, understanding its challenges and needs and working new research into proof of concept demonstrators to overcome the 'valley of death' for innovations. The CSIT membership comprises both SMEs and large companies, forming partnerships.

The contribution of the Royal Society was discussed, whose major policy action is delivering evidence, input and thoughts on cyber security. In this year's Summit, there will be a stream encouraging the involvement of young entrepreneurs with the welcome participation of venture capitalists, Techstars, Kernel and Amadeus. In addition, the PRECYSE Consortium Summit stream tackles critical infrastructure threats.

The Summit 2014 aims to take a long term view of cyber security and threats, providing a summary of where we are now and encouraging a global perspective on the future of cyber security research. Professor McCanny finished by thanking the Delegates for their repeated support.


KEYNOTES

DR DOUGLAS MAUGHAN, US DEPARTMENT OF HOMELAND SECURITY
The Threat Landscape – A U.S. Perspective. Presentation: http://bit.ly/1mZ4EeF

The first keynote presentation started by discussing the cyber security threat space, and the need to consider it not only from a technical angle but also from a human angle: as humans are part of the threat, this needs more thinking. From a Department of Homeland Security (DHS) perspective, as a large agency, it is concerned about globalisation, borders, extremists and natural disasters. In cyber space, criminals, hackers, insider threats, the use of malware etc. and social engineering all define the threat landscape.

The consideration of the impact of people in cyber security is important. The White House 2009 cyber space definition talks about equipment, but is missing people. With regard to threats in cyber security, the user is the weakest link and cyber criminals are people. As an example, phishing to compromise machines is the primary threat vector for the DHS.

The speaker then presented his assessment of various top technical and policy challenges in cyber security. In the USA, critical infrastructure (CI) is the principal cyber security challenge. 16 different sectors of CI have been designated; the particular concern is loss of life, but financial and intellectual property losses are also important. President Obama has issued an Executive Order and Presidential Policy Directive for CI cyber security, proposing a model for industry and academia to secure CI in partnership with the private sector. The DHS works closely with other bodies in this area and has been tasked to provide a national R&D plan in CI cyber security. In its dialogue with CI owners, the attitude has been 'we do oil and gas, not cyber security'; the CI owners are not used to doing CI security. The most difficult problem is economics: how to get CI owners, SMEs, individuals, etc. to buy and use cyber security technology. This needs education, awareness and incentivisation.

The next cyber security challenge discussed was the vulnerability of software, e.g. the US national healthcare platform is riddled with software problems and there is generally a lack of healthcare software. Again economics is an issue, illustrated by the large costs involved in producing quality software and also the costs of a lack of software quality. The significant evolution of software in terms of increased lines of code and the evolution of software languages is also an issue. Looking at these issues in terms of security has led to the DHS development of SWAMP, a globally-available software test and evaluation platform and marketplace.

Mobile devices present a growing challenge in cyber security. The number of devices is predicted to double in 5 years. The security of devices is a problem: all device types have been compromised. The security of software on mobile devices is also a concern, along with security issues in apps; many of these store usernames and passwords and are vulnerable to man-in-the-middle attacks.

The use of DDoS attacks to compromise machines and knock out infrastructure and companies is a further cyber security challenge. Attacks have even been seen on 911 centres. The volume of traffic used in DDoS attacks is currently about 400 Gbits per second, but this is increasing rapidly; an increase to 4 Tbits per second could happen and current security solutions cannot handle this. There is a need to develop new defences and tools for DDoS attacks; the best product is 15 years old.

Cyber physical systems, for example cars, medical devices, smart cities and drones, are another area where cyber security is needed, as such systems have software that can be compromised. Systems are often designed without security in mind; there is a need to work with companies producing cyber physical systems. The DHS has issued a recent solicitation for research in cyber physical systems and CI.

An additional threat posed to cyber security is the security workforce shortage. Cisco report a shortage of more than 1 million security personnel and various other studies support this. The US Department of Defense requires more security personnel and 8 other countries report the same problem. IBM is working with 200 universities to bridge the cyber security skills gap. In the US, this is a national problem, and national initiatives on cyber security awareness and education have been launched, along with programs in schools, evolving professions and competitions in cyber security to increase hands on security experience.

Privacy and civil rights are a challenge in cyber security. It is important to conduct security R&D in a legal and ethical manner. For example, in some circumstances there is a need to access cyber-attack infrastructure, e.g. botnets, to do research, which raises legal and ethical issues. The Menlo report addresses the ethical principles guiding ICT research; this has similarities with the Belmont report for human subject research.

In summary, cyber security must focus on the human / user issue and on producing the next generation of security personnel. Collaboration is essential, as this is a global issue, with a need for emphasis on cyber security technology transfer.

CHRIS ENSOR, CESG
Mobile on the Cyber ‘Frontline’.

CESG is the security arm of GCHQ and as such focuses on this one area. In investigating the security of businesses, CESG have found other matters, e.g. the disclosure of a business's IP. CESG want to increase the awareness of cyber security issues in business; they have produced Board level information on cyber security to enable the development of a cyber security risk posture. This has got good recognition and is still in use.

What needs to be protected? Medical, power, financial, IT and critical infrastructure systems and information: all of these get compromised in the same way. Do we have the skills to implement protection? Control of these systems is needed to manage cyber security risks. Ceding control to Cloud services and WiFi operators, and to the actual owner of devices we use, increases cyber security risks, the need for security and the difficulty in making services and information secure. There is a need for the market to drive good security practices in, e.g., the Cloud and WiFi.

We need to know the capabilities of who we are protecting against; these vary from anyone as an attacker to a nation state. Different attackers have different levels of expertise in cyber-attacks, and this should be used to develop appropriate defences. Very sophisticated attackers can and do also use the easy way in.

What do we need protection from? This could be, for example, attacks from outside a network, attacks from within the network, or attacks using WiFi to access the network.

How do we protect ourselves? If, for example, we need protection against an attacker on the Internet, defences need to be placed at the network / Internet access point. But the attacker can also target any devices that access the network, so we need to rely on device users to manage the security of their devices.

Present computer systems have a lot of bugs, although this issue is decreasing. The problem is the standard of warranties: these do not provide any guarantee that software will work and we accept this. If we do not send bad software back it will not be improved. We need to fix software to make an effect on cyber security and to create the security that we need.

Basic Cyber Hygiene: the basics to stop attacks. CESG have carried out analysis on some companies and discovered the use of exploits such as software bugs, weak passwords and commodity hacking tools. The basic security requirements are patch management, secure network configuration, firewalls and Internet gateways, access control and malware protection. Business and large organisations say these are too hard, but if they do not implement them they are wide open. We need to get UK organisations to do these 5 things well. This presents an opportunity for innovation, education and awareness, to enable companies to do these security measures well.


DR CLAIRE VISHIK, INTEL CORPORATION UK
Next generation of trusted technologies. Presentation: http://bit.ly/PU9dJE

The speaker started by expressing her optimism and hopefulness about developments in the cyber security area: new technology brings new opportunities but also threats. Intel have new technology, and there is progress across technology developments, user awareness and regulation updates. These are all examples of positive matters in the cyber security area.

We currently experience composite security networks, and as these networks become more complicated, protection becomes less useful. Looking at security issues at a high level is the way to go. The multi-disciplinary nature of cyber security attacks is important: attacks happen for different reasons, only some of which are technical; other reasons include, for example, socioeconomic issues. We need to understand all of these reasons to develop cyber security strategies.

We live in an increasingly connected environment. The number of devices is increasing and these now participate in many processes. This increasing complexity is generating a much increased volume of data. We also now have a different architecture environment with the introduction of the Cloud. The interaction between different environments is increasing and barriers to entry are decreasing. With this increased interconnectivity come different attack vectors. New trust and security problems are appearing, for example in supply chains, the Internet of Things, industrial systems and mobile devices. New trust and security problems are also arising from new usage models, economic developments and geopolitical issues. The cyber security threat environment has therefore become increasingly complex, moving to hardware and firmware. There is a need for security experts that understand the current security environment and also the present socioeconomic influences on security. For example, we have increased automation of computer systems in the home. This has advantages but introduces new attacks with new consequences. New technology monitoring can allow criminals to identify houses to attack, and criminals can also remotely access devices in houses to gain access or damage property.

Trust evidence was then discussed. Research in improved trust anchors has shown that the current trust environment is not adequate. There is a need for a composite systems view to increase trust. Mechanisms are necessary that produce, verify and consume trust evidence among the components of the current ecosystem. Intel have tried to produce a trust generalisation useful to many ecosystems; this has proved very difficult and requires a new definition of trust. The definition of trusted computing has not changed since 2010. A trusted system behaves in an expected way under certain circumstances, i.e. the trust is about future actions. Currently trust definitions emphasise identity, but this trust is yes/no; a graduated approach to trust is needed, with system usage adjusted accordingly. Developers need to know several things to develop for every use case: the intent of other developers, regulatory requirements, future architects and use models. There is a need to develop trust thinking, which presents a number of potential research topics, e.g. cross domain trust definition development. The vision for the future includes making foundational features for security and privacy mandatory and looking at innovative threat models. For this there is a need for a new generation of security professionals who are multidisciplinary, and a need to adopt new work processes, e.g. part time involvement in several projects.

For users to understand devices, they need to know about various issues including the security and privacy features of devices, app and network ownership, the software on their devices, the security models used and what information they share. Approaches to helping user awareness include making indications on devices to warn about their impact on security and privacy, enabling security and privacy technology by default, and teaching technology in the right way to increase an understanding of security and privacy.

What affects our thinking in cyber security? The global environment of cyber security creates a global overlay picture with different lifestyles and living standards, cloud apps, and an international workforce. There is a perceived disconnect between research and real life issues. An increase of awareness of cyber security could be achieved by an increase in real life conferences and programmes for collaboration and public private partnerships. In an ideal situation, we would find a way to pursue ecosystem and niche problems together, develop mechanisms for public private partnerships and technology transfer, and form agile responsive teams.


PROFESSOR MAIRE O'NEILL, QUB
Cryptography in a Post Quantum Computing World. Presentation: http://bit.ly/1ed5l19

This presentation concerns Blue Skies research: cryptography in a post-quantum computing era. In traditional computing, bits exist in one of two states, 0 or 1, and calculations are performed sequentially and one at a time. Quantum computing involves qubits, which can exist in both states at one time, which allows quantum computers to perform multiple calculations in parallel. Quantum algorithms are used to exploit this parallelism, such as Shor’s algorithm, which allows factorisation of numbers with exponential speed-up over traditional computers, and Grover’s algorithm, which searches unsorted databases with quadratic speed-up. These algorithms have demonstrated the potential of quantum computing.

However, some problems remain in quantum computing technology. Achieving large scale quantum computing is difficult due to decoherence, and it is difficult to verify if a system is in a quantum state or not. Also, the transmission distance of quantum communications is limited.

In recent years there have been some major breakthroughs. The quantum factorisation of 143 is now possible; this is the largest number yet to be factorised into its primes by a quantum algorithm. The longest-distance quantum teleportation in free space to date was achieved over 143km. This showed for the first time the potential feasibility of transmitting quantum information between satellites and ground stations. A quantum memory state was held stable at room temperature for 39 minutes, which is 100 times longer than the previous record, and although not long, is sufficient time to run over 20 million computations.

In 2011, D-Wave announced the first quantum computer. There is much debate as to whether this is a true quantum machine, as it only shows a speed increase for certain calculations and it is difficult to verify if it is performing quantum operations or not. In January 2014 it was revealed that the NSA are funding the development of a ‘cryptologically useful quantum computer’ and their true capability in this area is unknown.

What happens when quantum computers do become a reality? Commonly used public-key cryptographic algorithms, based on the integer factorisation and discrete log problems, such as RSA, ECC, DSA, etc., will be vulnerable to Shor’s algorithm and will no longer be secure. It appears that symmetric algorithms will be secure against quantum computers (and Grover’s algorithm) by simply increasing the associated key sizes.

However, there is an alternative form of public-key cryptography that can be used, namely post quantum cryptography. Post quantum cryptographic algorithms refer to conventional non-quantum cryptographic algorithms that are secure today and will remain secure even after practical quantum computing is a reality. The main types of post quantum cryptography are code-based cryptography, hash-based cryptography, multivariate quadratic cryptography and lattice-based cryptography. While code-based cryptography is the most mature post quantum technique, recent advances in lattice-based cryptography have made it much more practical, and it can be used to create cryptographic constructions beyond public-key encryption, such as identity-based and homomorphic encryption.

Many challenges remain in the area of post-quantum cryptography. Further security analysis of post-quantum cryptography algorithms is needed. The selection of suitable parameters to guarantee both security and efficiency is still an open research problem. Optimal and practical PQ algorithm implementations need to be investigated, as does the resistance of these to physical/side-channel leakages.

CSIT is carrying out research into accelerating the main underlying primitives involved in lattice-based cryptography and homomorphic encryption. Recent research that utilises an improved low hamming weight multiplication architecture for integer-based homomorphic encryption has led to a significant speed-up over the reference software implementation.
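The following Python is an added worked example, not code from the report, from CSIT or from the speaker, illustrating why the talk says Shor's algorithm breaks factorisation-based public keys while Grover's only halves symmetric key strength. Shor's algorithm reduces factoring N to finding the period r of a^x mod N; only that period-finding step needs a quantum computer, so here it is replaced by a brute-force classical search (an assumption that keeps the example runnable on toy moduli), and the classical post-processing that turns r into a factor is implemented exactly. It is run on 143, the number the talk cites as the largest factorised by a quantum algorithm. The function names are the example's own.

```python
from math import gcd


def multiplicative_order(a, n):
    """Smallest r > 0 with a**r % n == 1, found by brute force.

    This period-finding step is the only part of Shor's algorithm that
    needs a quantum computer (via the quantum Fourier transform). It is
    simulated classically here, which costs O(n) and is only feasible for
    toy moduli such as 143; for a 2048-bit RSA modulus it is hopeless.
    """
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def shor_classical_postprocess(n, a):
    """Classical post-processing of Shor's algorithm for one base a.

    Given the period r of a**x mod n, y = a**(r/2) is a square root of 1
    mod n. If y is a non-trivial root (y != 1 and y != n-1), then
    gcd(y - 1, n) is a proper factor of n. Returns such a factor, or None
    when this base fails (odd period, or trivial root) and another base
    must be tried.
    """
    g = gcd(a, n)
    if g != 1:
        return g                      # a already shares a factor with n
    r = multiplicative_order(a, n)
    if r % 2 != 0:
        return None                   # odd period: pick another base
    y = pow(a, r // 2, n)
    if y == n - 1:
        return None                   # a**(r/2) == -1 mod n: trivial root
    f = gcd(y - 1, n)
    return f if 1 < f < n else None


def factor_via_order_finding(n):
    """Try bases a = 2, 3, ... deterministically until n splits.

    Returns the factor pair sorted ascending, or None if n is prime
    (every base then yields only trivial square roots of 1).
    """
    for a in range(2, n):
        f = shor_classical_postprocess(n, a)
        if f is not None:
            return tuple(sorted((f, n // f)))
    return None


def grover_effective_bits(key_bits):
    """Grover's quadratic speed-up halves the effective strength of a
    symmetric key: exhaustive search over 2**k keys takes about 2**(k/2)
    quantum steps. This is why the talk's remedy for symmetric ciphers is
    simply a larger key size, whereas RSA/ECC need replacing."""
    return key_bits // 2


if __name__ == "__main__":
    # Constructed demonstration: 143 = 11 * 13, and base 2 succeeds first.
    print(multiplicative_order(2, 143))        # 60
    print(shor_classical_postprocess(143, 2))  # 11
    print(factor_via_order_finding(143))       # (11, 13)
    for k in (128, 256):
        print(k, "bit key ->", grover_effective_bits(k), "bits against Grover")
```

The order of 2 modulo 143 is lcm(10, 12) = 60, so 2^30 mod 143 = 12, and gcd(12 - 1, 143) = 11 recovers a factor on the first base; a prime modulus never splits, which the helper reports as None.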


JAAN PRIISALU, ESTONIA INFORMATION SYSTEM AUTHORITY
Cyber Security in Estonia. Presentation: http://bit.ly/OIqbJG

Estonia is undertaking cyber security but is hampered by, for example, its small population, a lack of people to provide cyber security, and a failure of automation of government services.

They have researched the architecture choices for government automation and arrived at a chosen system following existing IT processes. Using IT experts' plans, the cost of the automation would be 30 times the national budget. Interagency sharing of platforms was suggested to decrease the price. Measuring intergovernmental agency interactions developed a knowledge of what government is doing; most government work is in the social and security areas. However, implementing the connection of national institutes makes citizens afraid of government knowledge of their data. Therefore a government portal is used to allow citizens to see what data is held on them.

eID cards have been developed and introduced in Estonia. These have a public key basis. These are needed as, for example, the passport system is not scalable. eID card authentication is used for government services and other purposes, and to define the identity of citizens and institutions.

With regard to Estonia's critical infrastructure, there is a need to protect the ecosystem, but the difficulty is where to concentrate. It was decided not to build separate cyber security systems but to build cyber security within the infrastructure used to support the critical services. 95% of critical services are dependent on IT; in 30% of cases the dependency is critical, and in 10% of cases the dependency is highly critical. No alternative exists: if the IT service is down, the critical service is down. There is a need to focus on critical infrastructure providers and make them understand cyber security, building communities, collaboration and dialogue between players. CI managers and owners need to talk. Using penetration tests and adding risk management language when presenting to managers resulted in a budget change for cyber security.

Estonia has learned the lesson from the cyber-attacks of 2001. Government and other institutions have been made to talk. Cyber security systems, e.g. encryption, have been introduced in the election system. Systems are being built so that essential government services will operate even after occupation of Estonia; this serves as a deterrent to invasion. Cyber security is being injected into citizen requirements, e.g. management of heating bills, as teaching every citizen to be a cyber security expert will not scale.

GERHARD ESCHELBECK, SOPHOS Cybercrime: From Kudos to Profit. Presentation: http://bit.ly/Q8N4qz

An increasing number of companies are going public with data breaches. This is not decreasing or stabilising, but actually increasing. This is due to system complexity, which introduces vulnerabilities, threats and risks of cyber-attacks. At the same time, cyber criminals are becoming more sophisticated, there is more funding and resources, and growing motivation, e.g. financial. Cyber-crime is increasingly becoming an organised effort between various players, at a cost of $8 billion worldwide in 2007 and 2008. Catching cyber criminals is difficult; even with lots of resources, it is still difficult. Cyber-crime is a business, with advertisement of its services e.g. on YouTube. Part of the issue is that cyber-crime is an interconnected economy of individuals carrying out crimes, e.g. developers of attack tools, attack deliverers and buyers; this is global and very difficult for law enforcement.

One common thing is that all cyber-attacks involve malware; this is at the centre of cyber-attacks. In the early days, 5 to 6 viruses were seen per month, e.g. the Michelangelo virus 20 years ago, which was spread by floppy disk and activated only on Michelangelo's birthday. This was simple to deal with. Today the situation is highly complex. An increased volume of 250 - 300,000 new malware samples are seen per day. Most
malware is web driven and carried by legitimate websites. Malware is now extremely professional and complicated due to the increasing financial clout of developers as their success rate increases.

An example of malware used in cyber-attacks is ransomware, where a person's data is encrypted and they have to pay to get it back. Ransomware is now using public/private key encryption and social engineering tricks, e.g. claiming that illegal data has been found on your computer, which you can pay to deal with. A further example of malware is POS malware, which attacks point-of-sale (POS) systems. The malware resides on these systems and steals customer card details. It is present in various sectors, e.g. in hotels, transport etc.

Everything that has been seen on fixed networks with respect to malware will be or is being transferred to mobile devices; this is the next frontier for malware attacks. 350,000 Android malware samples have already been collected by SOPHOS. Hacked devices have the capability of, for example, stealing data.

Crimeware kits, toolkits for cyber criminals, are now available, for example for download from the Internet. For criminal malware to be successful it is all about traffic. Sites that have a lot of traffic are targeted and used to attack an increased number of devices, e.g. servers.

Cyber security is a global challenge; collaboration is needed between governments etc., and mechanisms for cyber-crime reporting are required.

MARK CROSBIE, FACEBOOK Protecting a billion identities - Without losing (much) sleep

Facebook has 1.23 billion monthly active users; at this scale, security problems become magnified and security solutions become useless. In addition, Facebook operates using open source software and hardware design etc. There is a need to think about security in a way that responds to threats as they happen. The mission is to protect Facebook data and, as Facebook uses its own systems for business, to create a sense of ownership of security. As the Facebook culture does not support barriers, security in Facebook needs to be done by the enablers: the people who write the code are responsible for its security.

Facebook thinks about security by focussing on the threats, actual not perceived; the conversation is about the reality of a threat and an appropriate solution. The top Facebook security risks are:

1. Abuse of user data; trust is the most important issue to Facebook
2. Source code deletion / modification
3. Protection of business data
4. Ads platform exploitation
5. Security in relation to employees, who are often targeted by attackers

To deal with these, Facebook disrupts the malware economy by making cyber-crime less valuable, e.g. it offers money to people who find security vulnerabilities. This changes the security conversation, building trust in Facebook in the security community. Facebook also makes security training fun. Every October a hacking challenge is run in which hacking of other Facebook employees, data centres etc. is attempted, simulating real world attacks, e.g. phishing exercises. Facebook takes a pragmatic security approach, assessing whether security policies get in the way and matching security controls to the value of the asset, e.g. there is no point in using SSL to transfer data if you do not protect your computer. Cryptography is easy but key management is hard, so Facebook worries about the latter. The bad guys in cyber security are not obvious; they try very hard to look legitimate.


MARY AIKEN, ROYAL COLLEGE OF SURGEONS IN IRELAND The CyberPsychology of Cyber Security. Presentation: http://bit.ly/1gc2CUk

Cyberpsychology considers the impact of emerging technology on human behaviour. The specific area of Forensic Cyberpsychology examines behavioural evidence, related to crime, manifested in a virtual context. Cyberpsychologists adopt an inter-disciplinary approach, ranging from the social sciences to computer and network science. My research focuses on higher level architectures of criminal behaviour in cyber domains. Cyberpsychology is a growing field, and Ireland is a centre of excellence. Exponential growth is expected due to the increased use/penetration of the Internet, and the profound influence of this technology on humans.

Concerning the psychology of cyberspace, one of the important questions is: are real world psychological theories applicable in virtual environments, do we need to modify them, or develop new theories? For example, are real world stalking and cyberstalking the same condition? Is cyberstalking simply facilitated by technology, or is it a new and differentiated form of criminal behaviour? In the latter, observed differences are as follows: emergence of more female stalkers, stalking of multiple victims simultaneously, and the ability of the stalker to access more personal data of the victim.

Regarding “state and trait” characteristics in cyber space, anonymity coupled with the “online disinhibition effect” (Suler, 2004) dictates that people may do things in the virtual world that they may not do in the real world. Arguably there is a need to conceptualise technology in a new way, a need to think about cyberspace as an environment, as a place, as cyberspace. Furthermore there is a need to consider the impact of this environment on vulnerable populations (such as developing youth), and criminal and deviant populations. This is required in order to understand modus operandi in this space. Cyberpsychology can assist in this regard, delivering insight at the human / technology interface.

Key perspectives in cyberpsychology include ‘factoring the human’ into the cyber security debate. This involves the consideration of person versus user, state and trait characteristics, and investigation of any disconnect between the “real world self” and the “virtual world self”, along with organisational issues in security. For example, promotion of employees is often based on knowledge focused on how that person presents in a real world context. The question is: how does leadership manifest in a virtual context? In the case of a major cyber event, how can we be sure that the best people are in place in a leadership role? We should perhaps consider having two, or indeed dynamic, organisational hierarchies, suitable for real world and virtual world events. In terms of insight, if we want to understand cyber criminals or sophisticated cyber operators, we should consider profiling them in a cyber-context. We should examine motive, and primary and secondary gains, e.g. financial profit, emotion (such as revenge), politics/religion (a common motivator for cyberterrorists) or “just for the fun” (this motivation can apply to youth, and others who may hack into networks, share copyrighted music/movies, deface web sites etc.).

As discussed, a key perspective is to consider cyber space as an immersive, as opposed to transactional, entity, to consider cyberspace as an actual environment. In cyber space it can appear that nobody is in charge, what Suler calls the ‘minimisation and status of authority online’. The challenge for technology is perhaps to create an impression that there is in fact some accountability for use of technologies, to consider digital deterrent, and digital outreach protocols. There is also a need perhaps to update and reconsider definitions in a contemporary context, for example what does privacy, identity or trust mean to a new generation, and are they different constructs to previous generations?

There is a continuing debate regarding the role of Artificial Intelligence; however, it’s important to remember that as psychologists we do not as yet fully understand the workings of the human brain; indeed the very construct of testing of Intelligence may need to be reassessed in an age of technology. Therefore how can we attempt to replicate something that we do not fully understand? We need to think in paradigm shifts to tackle these issues; also we need to consider ongoing cyber ethical implications.

The cyberpsychology research vision is focused on understanding new cyber behaviours, and delivering insight. To do this we need to have a theoretically profound, experimentally rigorous, developmentally longitudinal, and technically sophisticated research approach, and we should adhere to principles of virtual research methodology.


JINHYUN CHO, KOREA INTERNET & SECURITY AGENCY Cyber Security and Data Protection Challenges in Korea. Presentation: http://bit.ly/1oPcEAH

In Korea there are lots of cyber security and data security challenges. In KISA, information security, Internet promotion, international cooperation and policy research are the 4 main functions.

In 2013, there were a number of security incidents in Korea. One was an attack on Korean broadcast stations and banking services. This affected clients, servers and ATMs and happened in the middle of the working day. A lot of effort was made to discover the malware distribution path. Improper security management and serious security holes were discovered. More resources needed to be focussed on security, not merely outsourcing this to vendors. Security needed to be the job of users, not just security personnel. The attacked institutions needed to invest more money in security. The attack had occurred on at least one state broadcast station before, but they did not learn from it. A further cyber-attack resulted in the defacement of the Korean President's website.

Central government systems are integrated, so the DDoS attack resulted in the disruption of interconnected systems. The discovered attack method was a web hard client program. Not enough attention was paid to the security of such programs being downloaded by users. Definite determination of who was behind the attack was very difficult, e.g. due to the lack of legal assistance from the countries where malware data comes from. The Government have announced that the attack was from North Korea.

In 2014 various personal information security breaches took place. Entry of personal information is required to access Korean websites. This includes residential registration numbers, which comprise an individual's birth date, male / female information, and origin information. Residential registration numbers are used by the Korean government as an identifier online, but they are also used by cyber criminals. We are now paying the cost of the convenience of use of residential registration numbers. An employee of a credit rating company was involved in personal information attacks. There was no security policy / encryption to prevent this. In a mobile service provider personal information breach, the criminal got information on who needed a new mobile phone and used this to increase the sale of phones.

The Korean government response included changing the responsibility for dealing with attacks, developing an attack response strategy, introducing minimum data collection of personal information to protect financial consumers, establishing new key research and development areas for information security (in 2014 the focus is on wireless), and developing a cooperative model for research.

BRIAN HONAN, BH CONSULTING Cyber Security: Global Challenges, Local Solutions. Presentation: http://bit.ly/1etqhMc

Ireland plays an important role in the cyber security world. 94% of Irish companies depend on the Internet for their business; this needs to be secure. Nearly 80% of security breaches are not detected by the companies themselves, and the difficulty of mounting attacks is low, using downloaded attack tools.

IRISSCERT is dealing with a large increase in security incidents. Attackers are mainly breaking into websites to set up phishing attacks. There has also been a surge in DDoS attacks, both direct attacks and the use of websites in attacks. Most incidents involve organised crime.

The causes include bad passwords, missing patches, vulnerable platforms for websites (caused by the use of these by web development companies), lack of anti-virus updating and lack of monitoring of attack indication information such as security and system logs. There is a need to get back to security basics: why focus on advanced attacks etc. when we have not dealt with the most common attacks? Layered security is needed, putting the most important data behind various protection layers. Collaboration is required to improve cyber security.


PRECYSE

This special stream at Belfast 2014 brought together PRECYSE research partners, members of the PRECYSE end user group and Critical Infrastructure stakeholders, and welcomed a number of other attendees from the main summit. The key aims of this event were to engage critical infrastructure operators and stakeholders in an interactive discussion about the project, progress to date, key technical outcomes and cyber security challenges, and to identify refinements and key research issues for the remainder of the project.

PROFESSOR EUL GYU IM, HANYANG UNIVERSITY, SOUTH KOREA Cyber security and critical infrastructure in South Korea

The event opened with a keynote address by Professor Eul Gyu Im of Hanyang University, who highlighted a significant number of Smart Grid cyber security related research projects in South Korea. Prof Im’s presentation included an insight into a range of cyber security incidents that the country had experienced over recent years. International political relations in the region presented a significant motivation for securing national cyber infrastructure.

His presentation concluded by explaining South Korea’s strategic plans for its future energy infrastructure, and highlighted that many hundreds of millions of dollars would be invested in emerging Smart Grid industries and related cyber security technologies in the next 5 years.

PRECYSE WORKSHOPS

Progress to date

In the main part of the PRECYSE stream, the focus moved towards a workshop exploring the progress of the project throughout the first 24 months of research, and the objectives for the remaining 12 months.

The initial session, led by Berthold Haberler of power distribution operator Linz AG, explored how PRECYSE technologies and methodologies would be tested and validated in two pilot sites, built using the expert domain knowledge of end-user partners, which provide comprehensive and realistic test environments. The two pilot sites are:

1. Energy Demonstrator: Energy management control centre of the region of Linz, Austria, which provides power supply and related services for 400,000 inhabitants in an area of 2,000 km².

2. Transport Demonstrator: Traffic control centre in the city of Valencia, Spain, which has a metropolitan area with more than 1.5 million inhabitants and an average of 500,000 vehicles running every day.

Privacy and information security issues

Jennifer Betts of CSIT then led a discussion on the implications for privacy and information security in the storage and sharing of sensitive and confidential information in Critical Infrastructure, in line with EU Legislation, Directives and other key principles. She proposed a “Privacy Impact Assessment Model” to be tested in the pilot sites, which will provide operators with a score based on their level of compliance measured against best practice guidelines, and offers specific recommendations and actions for improvement.

PRECYSE Framework for Critical Infrastructure cyber security

Leonardo Grassi of Thales, and Nils Ulltveit-Moe of the University of Agder, led a deeper investigation into the proposed PRECYSE Framework for Critical Infrastructure cyber security. The discussion looked at extensive research carried out during the project to define a Methodology and an Architecture for incrementally improving the cyber security of Industrial Control Systems (ICS), as well as proposing a test suite for technology validation to be adopted through the remainder of the project.


From Security Analysis to Remediation

The theme of the final workshop session was “From Security Analysis to Remediation”, and it was led by Paul Smith of AIT, Jörg Kippe of Fraunhofer IOSB, and Kieran McLaughlin of CSIT. This session offered a deeper dive into selected tools developed within PRECYSE that offer significant advances towards securing ICS networks. Highlights included:

• A vulnerability-centric threat analysis for assessing the risk from multi-stage advanced persistent threats
• How to implement the PRECYSE security services framework using open source technologies
• Privacy preserving Intrusion Detection Systems (IDS)
• IDS customised for the IEC 60870-5-104 SCADA protocol used in power distribution

ABOUT PRECYSE

PRECYSE is a £4M European Commission FP7 research project investigating “Prevention, protection and reaction to cyber-attacks to critical infrastructures”. The goal of PRECYSE is to define, develop and validate a methodology, an architecture, and a set of technologies and tools to improve, by design, the security, reliability, and resilience of the Information and Communication Technology (ICT) systems supporting Critical Infrastructures.

PRECYSE is coordinated by ETRA I+D (Spain) and partners include the Austrian Institute of Technology, AIT (Austria), Fraunhofer IOSB (Germany), Skytek (Ireland), Thales Italia (Italy), University of Agder (Norway), Ajuntament de Valencia (Spain), Linz AG (Austria) and the Centre for Secure Information Technologies, CSIT.

Website: http://www.precyse.eu/


TECHSTARS

This stream was delivered in partnership with NISP Connect and Techstars. Two sessions ran, each consisting of an invited talk followed by an expert panel discussion, allowing early stage entrepreneurs and businesses looking to accelerate growth in the cyber security sector to get deep insights from key industry leaders.

Session 1: What differentiates success from failure?

Jon Bradford, MD of Techstars UK, gave a talk introducing Techstars (the world’s #1 start-up accelerator). He spoke briefly on his own career enabling and facilitating innovative start-ups and also highlighted the 10 things that repeatedly come up as reasons for early stage businesses failing. These were:

10. Lack of originality
9. Single founder
8. Timing
7. Wrong staff
6. Too much/too little funding
5. Bad investors
4. Founders falling out
3. Lack of pragmatism
2. Too small a market
1. No customers

Following the talk there was an expert panel session with Jon Bradford & Greg Rogers - Techstars, Elisabetta Zaccaria - Independent Consultant, Zach Tudor - SRI International, Alex van Someren - Amadeus Ventures and Danny McCaughan - Kernel Capital. The panel took questions from the 40+ people in the session on issues of building effective teams, bold but realistic aspirations and ways to practically shortcut experience. Open discussion was also held on topics of funding, working environment and building effective sales/marketing channels.

Session 2: What big problems are waiting to be solved?

Andrew Tyrer from the UK Technology Strategy Board gave a talk on the emerging technology trends in the Digital Tomorrow. He highlighted the agency’s role in stimulating innovation in the UK and spoke to some of the current and upcoming funding calls that were relevant to the audience. Reference was also made to Prime Minister David Cameron’s announcement at CeBIT Germany on 10th March 2014 of an extra £45M funding to be made available to develop Internet of Things (IoT) technology in the UK.

A follow-up expert panel session was held with Andrew Tyrer - Technology Strategy Board, Martin Borrett - IBM, Jon Bradford - Techstars, Zach Tudor - SRI International, Elisabetta Zaccaria - Independent Consultant and Danny McCaughan - Kernel Capital. The panel discussed trends and key areas for innovation and where need is not matched by solutions. Each panellist was asked, if they were to set up a business today, what area that business would be in. Anonymous answers:

1. Quantifying security, risk models
2. Cloud Computing Security
3. Personal Computing (Next wave, after cloud)
4. Cyber Physical System Security
5. IoT security of wearable technology etc.
6. Education, online expert on demand etc.

Significant time was spent in the panel session discussing the current market interest and focus on Privacy and Trust; however, a conclusion from the Session was that business models to monetise Privacy and Trust technology are maybe not mature enough. It was recognised that even though user appreciation and market demand are not enough to build a significant business at the moment, they certainly will be in the near future.

The Startup Stream, held over the 2 sessions with delegates moving in and out of the main summit, was reported as a great success. CSIT will look to encourage the development of this type of innovation space and session at future Summits.


BREAKOUT SESSIONS

SECURE DIGITAL ASSETS Facilitators: Professor Sakir Sezer, CSIT and Brian Honan, BH Consulting

The distributed and networked nature of computing and storing digital assets in the Cloud requires context-specific security technologies. With pervasive computing, personal information will be used to optimise Smart Utilities and Smart Cities. Group discussions started by articulating what defines a digital asset (DA). There are radical differences between DAs in the commercial realm and the personal realm: for example, a Warner Brothers motion picture which is broadcast to audiences worldwide, versus a set of photographs taken on a phone which are shared with a small group of friends via a social networking site. There are also major distinctions between static assets, e.g. DOB, National Insurance Number etc., and dynamic assets such as meter readings, smartphone locations etc.

DAs are generated by commercial activity; for example, an end-user can choose to use the GPS modem on their phone, but the moment they do so they are exposing themselves and their location is known more widely. A company may generate/collect data and may hold IP in how that data is used or processed, but the broader question is: who owns the data? Individuals could consciously give away all their data and make it openly accessible on the Internet in encrypted format. This may reduce key management problems.

Enterprise data management systems, which analyse who / where / why data is being used and generate data classifications and policy rules, could be extended into the personal realm.

Monetizing personal data?

Discussions moved on to the topic of monetizing personal data. Could identities be copyrighted, for example, and would this be scalable? How would chains of vendors / syndication of personal DAs spread throughout the Internet be managed? Would this require legislation to establish a framework? This could take the form of a centralized personal repository of DAs owned by an individual. Vendors would be given access via a token (key) which would determine the policy to be enforced by the repository. This would empower citizens to actively manage and monetize their personal data assets.

Privacy Protection

Jurisdiction plays a major role in determining the policy and level of protection afforded to DAs. US law provides little privacy protection – if an end-user chooses to use a service then that service provider can exploit the data generated. The end-user effectively signs away their rights by enrolling in the service.

Privacy means different things to different people. For example, Fitbit is a life logging service tracking personal mobility, exercise regime and sleep patterns. Data can be shared with friends and family in a social network context to help motivate the individual and encourage healthy lifestyles. However, life insurance companies would be delighted to get access to this class of information. They would create personalized policies with lower premiums for more active subjects.

The intent of the data processor / recipient of the data will determine the extent of the controls we wish to place on our personal data. Protection of DAs is context sensitive – we need to define what can be done with DAs and then implement different levels of protection depending upon the sensitivity of the material. This could take the form of an International bill of rights for Digital Subscribers setting out a layered framework for privacy protection:

1. Individual only
2. Family and close friends
3. Employer and/or work related
4. Anonymous – Don’t care


Service providers could be obliged to inform individuals what they are doing with their data. A user agent is needed to

deal with incoming Service Provider reports and automatically flag up issues or violations. That is, a personal privacy

advocate.

Corporate social responsibility does have a place too – businesses should only collect the minimum amount of data needed

on subjects to provide a sufficient service.

Many attendees reflected that it is annoying to be asked to fill in the same personal details on each Website / Internet

service they register on. Could a personal (secure) avatar remove the drudgery and provide stewardship of personal data?

Additional tool support in base operating systems to alert users to tracking and surveillance activity by third parties might

be an answer for less tech savvy users. New fundamental data types e.g. a transient data format that cannot be persisted

to disk might also address privacy concerns.

Data Aggregation

Linkage between data sources is a major concern. If government sources such as tax, VAT, police and justice, medical

records, driving licenses etc., which are all static databases, are linked to commercial and/or dynamic data sources such as

location and banking transactions the result is digital DNA. A complete map of a person’s life.

Credit rating agencies should provide greater transparency for data subjects and proactively inform them of significant

changes.

Do we have sufficient technology to maintain the integrity of DA’s as they are transported, processed and aggregated? Is

there a case for standardized handling procedures in the cloud?

Information assurance is a neglected issue in many organizations. The classification and governance of DA’s is not well

resourced. Strengthened privacy laws could have a positive effect inside enterprises and improve the business case for

better information assurance. True anonymity is not easy to achieve. Given the compute power now available to data

aggregators it is not difficult to personally identify data subjects. The ethical aspects of data aggregation require further

investigation.

The need for Education

Anger was expressed at supermarkets that collect data (via loyalty cards) and share or sell that information on to third parties. Society must enforce privacy, since technology will not do it alone. Notwithstanding this, it was argued that most people don’t care, or, more accurately, they don’t know that they should care. The general public are not capable of protecting themselves when operating in cyberspace.

Transformational change is needed via education of the general public. People view the Internet as a benign environment and cannot see malevolent behaviour in cyberspace. It may be easier to teach 11-year-old school children than mature citizens. We need a Green Cross Code for traversing the Internet.

Are data protection and cloud environments compatible? Is there a need for more specific regulation for cloud-based services? The root issues are identity, authentication and establishing trust. “On the Internet no one knows you are a dog”.

The right to be forgotten

A request was made for a service that allows personal data over 5 years old to be cleansed from all public Internet services. Is this feasible? An EU court ruling has taken a step towards giving people the "right to be forgotten", forcing Google and other search engines to remove certain links from search results. We need to consider works of artistic merit – should these be deleted and made inaccessible to future generations? Note that in the digital world everything is a copy – there are no originals. One distressing example is of automated LinkedIn work anniversary messages sent on behalf of a friend who had died several months earlier.


In summary, the main outputs from the two Secure Digital Assets breakout sessions are:

What are the top challenges and/or opportunities in this area?

• Who owns our data?
  o Commercial versus personal trade-offs
• Can we protect our identity?
  o Profiling happening around us
• Privacy is context dependent
  o Complicated, generational, cultural
• Is our data safe in the Cloud?
  o Effective handling procedures
• Does anyone care?
  o Transformational change required in society
  o Extensive public education

What future technologies are required to take advantage of these opportunities?

• Identity Management Solutions
• International Digital Rights Bill
• Established levels of sensitivity
  1. Strictly Personal
  2. Close Family
  3. Employer / Work Colleagues
  4. Friends
  5. Don’t Care / Anonymous
• Copyright our Identity
  o Monetise our personal data – infrastructure needed
• Personal Data Repository
  o Provide authorisation tokens to use/retrieve our data
  o Secure Avatar
• Kill switch for specific personal data and the right to be forgotten
  o Freedom to remove historic data

What practical steps can be taken collectively by research organisations to deliver this technology?

• Cloud Governance
  o LinkedIn messages from dead people
  o Inaccurate or malicious data aggregation
  o Policy enforcement on Cloud platforms
  o A personal cloud?
• Policy Expression
  o Ease of use – simplification
  o Context driven
• Visibility into tracking / profiling
  o Tool support
  o Operating system extensions
• Happy Consumer
  o Anonymisation – targeted advertisements
  o Deanonymisation – direct impact in the physical world


SECURE DIGITAL DEVICES Facilitators: Professor Andrew Martin, University of Oxford and Mathieu Gorge, VigiTrust

Discussion across both sessions started out by trying to place a limiting boundary on what digital devices were. The general consensus was that smartphones, whilst still insecure, have such a level of processing power and sophistication that they were largely ruled out of consideration.

Digital devices were defined as sensors or endpoints that connect wirelessly to mobile devices or some form of base station for onward transmission of data. Wireless connection technologies such as 3G, LTE, Wi-Fi, Bluetooth, XBee, WiMAX and successor standards will typically be used for communication.

Securing these devices requires not only technical solutions but also legal frameworks, regulatory compliance and appropriate standards and interoperability frameworks. Research and development are required for on-device, connectivity and service-integration security technologies and solutions.

Current and future digital device security problems articulated by both groups included the potential to attack downstream devices, services and infrastructure via their attached sensors. Stuxnet was given as a very high-profile example. In many ways this case serves only as a clarion call for those with malicious intent to seriously consider sensors as an additional attack vector for nefarious activity.

Commodity digital devices

Both groups considered the security implications of two commodity digital devices – a $30 smart TV dongle and a $5 smart light bulb. Both are assumed to have passive and active capability, i.e. they can both receive (Rx) and transmit (Tx) data to a network attached to the Internet. The primary concerns raised were trust, device lifecycle management, supply chain provenance and obsolescence.

In relation to trust, how can the typical user believe, or be assured, that the device is secure and acting in a benign way when connecting it to a home or trusted network? At such a low price point, who pays to provide security updates should vulnerabilities be found? Finally, should and can the provenance of the component supply chain be proven, and should there be a built-in ‘kill switch’ which assumes that the devices simply can’t be trusted after a certain period of time and should be automatically deprecated, in a similar way to software releases?

Interoperability frameworks

Assuming that the new generation of cheap smart devices cannot be trusted, and that many of these sensors might be repurposed in ways they were never designed for, new interoperability frameworks may be required to determine trust levels at connection time. Some already exist, such as Qualcomm’s AllJoyn for consumer electronics interoperability.

It was noted that consumers and enterprises operate different regimes in terms of device security, with the BYOD security issues being a case in point. Smart devices in the home are almost the reverse of the BYOD problem, with enterprises purposefully placing devices they wish, and need, to trust in an untrusted environment. This could have implications for their own critical infrastructure, broadening the attack surface. Ongoing smart metering projects will produce real-world data which may be translated into other Internet of Things and digital device scenarios.

Education

Finally, the groups recognised educational opportunities around teaching citizens to manage their own critical infrastructure. Participants recognised the need for manufacturers themselves to be involved in this process, but not to be solely responsible.


In summary, the main outputs from the two Secure Digital Devices breakout sessions are:

Top challenges and opportunities

• Assume that a $10-20 device is not secure out of the box – less so in 1-2 years or more
• Apps and software can’t be trusted on devices; hardware with baked-in security more so
• Physical hardware rollouts are expensive. Can you trust the supply chain?
• Smartphones are very sophisticated; sensors and IoT devices are not
• Understanding device behaviours; auto-scanning devices on connection to determine trust levels
• Bringing down the power grid by taking over electric devices and turning them all on at once
• Who owns liability for IoT?

Future technologies required

• Open, soft standards and interoperability framework
• Trusted device standards for search and discovery of security settings
• Usable multi-factor authentication on devices
• Trust zones for a variety of sensors and things
• A Euro NCAP type rating for devices to change buying behaviour
• Service opportunities for security – an independent device ratings agency?
• DMZ for things in the home?
• Assuming all devices are compromised – need to invest in defence
• Obsolescence by design, or new service and end-of-life models

Practical steps required by research organisations

• What protocols, and what are the default privacy policies?
• What is the regulatory impact with regard to vendor responsibility for the impact of malicious control of devices?
• Trustworthy behaviour from untrusted devices
• Lifecycle of a digital device
• Patching strategies for IoT devices in the home
• Automatic rating of devices on the fly as they are connected to a home hub
• Security Operations Centre/Network Operations Centre for the home
• Resilience of these devices to both cyber and natural events
• To what level can you delegate autonomy back down to devices if central control systems go down?
• Bio-inspired resilient cyber-physical systems


SECURE DIGITAL CITIZENS Facilitators: Professor Tony Day, International Energy Research Centre (IERC) and Mark Crosbie, Facebook Security

The sessions started by clarifying what we meant by a “digital citizen”. After some discussion, the group agreed that people generally fall into three broad groups: (a) those who fully embrace the digital world and willingly engage in a range of different ways, (b) those who reject the digital world (through fear, ignorance or principle) and do not wish to engage, and (c) those who have some interest in engaging but are unable to (through lack of knowledge, time or access to technology). It was agreed by the groups that current policy and strategies (for example around Smart Cities) seem to assume that everyone is online, or at least able and willing. An interesting discussion followed on the theme that securing digital citizens is a conversation about social inclusion as much as about technology or policy.

Data ownership

One of the key challenges identified by both groups was the issue of data ownership, protection, privacy and use. Some attention was given to the public data initiative in Estonia, where citizens’ data is open for interrogation by those who have the right privilege. Data relating to health, taxes, property etc. are stored centrally by government and access is granted to authorised personnel in a controlled and regulated way. The openness displayed by the citizens in allowing their data to be stored centrally is reciprocated by government in that a citizen is informed of any query relating to their data. This results in an interesting trust model.

Some discussion was had about the difference between primary data (i.e. data that an individual specifically provides) and secondary data (i.e. intelligence that can be gained through data analysis or data fusion). Organisations (both commercial and public-sector) invest significantly in analysing the primary data to create the intelligence of secondary data, and logic would suggest that they then have a right to leverage that data to create further value. The question was then asked whether that right to profit from data should also accrue to the individual who owns the primary data.

Profiting from data

It was recognised by both groups that, as well as the question of profiting from data, there is also a significant benefit to be had for society as a whole from looking at the data on a macro level. For example, if the metadata (or secondary data, or intelligence) can be used to predict health issues within certain regions or demographics, then that can be leveraged to benefit the whole of society. While this is a logical conclusion, it was pointed out that if there is a group of people who are not willing to engage with the digital world, how does the absence of their data affect the overall picture? Would we really be getting the true picture with accurate trends? Could incorrect conclusions be drawn, with disastrous consequences? Is there an ethical question surrounding people gaining some benefit from such outputs while not being willing to contribute themselves (i.e. free-loading on the digital economy)?

Social inclusion

The social inclusion question was considered again, and in particular the issue of education. Many people are simply unaware of the need to take care of personal data, and of the consequences of not doing so. Everyone agreed on the need for improved education for all sections of the population, and the need for that education to be in an appropriate setting and using appropriate tools. This echoed one of the highlights from Mary Aiken’s keynote on the previous day, which discussed appropriate education methods and environments. Everyone agreed that further work needs to be done in this area, including the need for a common understanding of language and the terms we use. It was also pointed out, however, that these issues are complex, and that an alternative (or additional) approach might be some form of brokerage model. This would involve engaging with a third party to manage your online identity and data, which would also require a high level of trust to be placed in that third party, which is an additional challenge.

Finally, the groups touched on the issue of data retention, and whether an individual has the right to be ‘forgotten’ or the choice to be invisible or anonymous on the Internet. This conversation then reflected back on some previous topics, including privacy, use and ownership of data, and perfectly illustrated the fact that much of the complexity arising from these questions is caused by the fact that they are inextricably linked and interdependent.


In summary, the main outputs from the two Secure Digital Citizens breakout sessions were:

Top challenges and opportunities

• How do we define a digital citizen?
  o those who can and do opt in
  o those who can participate, but don’t want to
  o those who want to participate, but can’t (access to technology, time, know-how)
• Freeloading on the digital economy
• Primary versus secondary data
  o Ownership
  o Control
  o Value and monetisation
• Individual versus aggregated data
• Transparency and the Estonian model
• Trust – government and commercial entities
• Education – message and means
• Trusted broker model
• Anonymisation
• Common language or taxonomy
• Data retention and the right to be invisible

Practical steps required by research organisations

• Creation of a common language so that everyone understands the risks and consequences in a simple manner.
• Education in terms, and through media, that people understand and associate with.
• Research study on the comparative benefits of opting in to / opting out of the digital economy.


BLUE SKIES Facilitators: Dr Ulf Lindqvist, SRI International and Raj Samani, Intel Security

By way of introduction to each session, the facilitators presented a brief history of technology trends over recent years, referencing various charts and statistics. This highlighted that a lot of the technology we use most heavily is in fact not very old. We looked at the history of the Internet and the Web (particularly relevant with the Web’s 25-year anniversary at the time of discussion). We looked at the mobile phone development timeline. We also referenced some of the future forecasts from the past – commenting ‘we have no flying cars, but we do have personal communicators’. We looked at the growth of computer power, emerging markets, emerging mobile web use and the ‘countdown to singularity’. The question was then broached – what does this all mean for cybersecurity?

Privacy and Trust

Initial group discussion highlighted the importance of Privacy and Trust and the current media focus on this topic. We considered societal expectations of privacy and also what this will look like in the future, commenting on an increasing appreciation of the value of personal data. WhatsApp was bought by Facebook for the equivalent of $42/user, which is an interesting data point; however, there is no doubt that as society moves forward people will be attributing more and more value to their personal data.

The group discussed expectations of privacy. We considered whether this differed across geography, culture, age and status. A consensus was reached from group discussions that a common expectation was that information should only be made available to those who have been given approval to access it, and that an individual should be able to track who has the information. People should have an understanding of control, access and audit privileges on their information. A good idea would be to explore the potential for a dashboard where you have transparency of these issues. A Blue-Sky research topic could also be to explore the opportunity for escrowed privacy services, providing an environment where you can control and manage access to information, perhaps in the future controlling access to e-discovery of information that is implanted in you. The focus of research should be to understand where within such environments you have control.

Business Models

We discussed a need to appreciate and understand business models for Privacy and Trust. Analysing data about you is expensive. How and why will people pay for this to be limited? Do people expect governments to provide assurances? What segment of the market is willing to pay for security? There was a long debate on insurance companies and their potential role in the cybersecurity landscape of the future. A research topic could be to assess technical measures that would work out your cybersecurity liability, reviewing your risks and setting your premium, etc. The group could foresee insurance companies providing a paid service of assurance, stipulating that you take certain precautions (updating antivirus etc.) and providing cover against cyber risks. In general, the discussions concluded that it is important to determine how much Privacy and Trust is worth, as then we will be able to understand the opportunity for this type of managed security as a service. Researchers should also consider the opportunity for tailored trustworthy spaces for various security-specific contexts. For example, the security context for high-value financial transactions is very different from consumption of multimedia content, but this is currently performed in exactly the same application environment (a web browser).

Data

We spoke of how our data will be shared and what data will be used for in the future: issues of data analytics and data economics, and how (and whether) our data will be used to enable a Virtual Consciousness – machine thinking on our behalf, based on our persona, replicating how we think, using knowledge based on our identity in predictive analytics. Will we have an autonomous helper? Autonomous agents? This topic of discussion indeed opens up a minefield of issues regarding rules, regulation, liability, policy and control.

Control

The group raised the question of who should police the cyber world – an international body, governments, or global corporations? Also, should we have an Internet Bill of Rights? Control is required, but who should have this right of control? The group appreciated that governments will continue with surveillance, but in terms of this and of others using our data, we need to understand if we have a right to be forgotten or to opt out of a digital society. Reference was made to having an equivalent to the telephone preference system, where you can request to be removed from databases and have restricted access to your telephone and contact information. What then about law enforcement and cybercrime? We still have a lot of unanswered questions in this area. There should be strong efforts in Blue-Sky type research for governance and law enforcement. This is an area of research that needs much more consideration.

Resilience

In terms of trustworthiness, it is imperative that we have a dependable, resilient and trustworthy Internet. WhatsApp went down the day after its purchase. 10% of government services don’t have resilience or back-ups. The software systems are so entangled that we will struggle to put in fault governance. Should there be more research into self-healing networks, graceful degradation, and reconfiguring systems that come back up autonomously? We should also consider policy and what can and should be mandated.

Electronic Currency

The group also touched on Electronic Currency and concluded that, rather than deep technical analysis, it was more imperative to engage in significant review and analysis by economists, lawyers, sociologists etc., to then be applied to a digital economy.

In summary, the main outputs from the two Blue-Sky breakout sessions were:

Top challenges and opportunities

• Privacy and Trust. How do we layer access to data assets and provide context-specific data privacy?
• System Resilience. With single points of failure being a major issue, how do we ensure recovery and self-healing?
• How do we see liability changing going forward? What about cyber insurance?

Future technologies required

• We need research into privacy expectations. Technologies that enable new privacy models (multiple personas etc.). A service, public or private, that can corral all the privacy issues people have – allowing you to know who has your data etc. But who should provide this service – who can we trust?
• Research and technology development for self-healing networks and systems.
• A research topic to assess the technical measures needed to be able to effectively work out your liability – set your premium etc. (Be able to mine from the logs how proficient your Internet use is. Perhaps a form of cyber black-box, i.e. equivalent to the automotive black-box premium reducer.)
• Researchers should also consider the opportunity for tailored trustworthy spaces for various security-specific contexts.


SUMMIT EVOLUTION – WORD CLOUDS

[Word cloud images for BELFAST 2011, BELFAST 2012, BELFAST 2013 and BELFAST 2014; the images are not reproduced in this text.]

* Excluded words: cyber, security, research and common English words.


www.csit.qub.ac.uk/belfast2014

A GLOBAL INNOVATION HUB FOR CYBER SECURITY

Contact Information
ECIT Institute
Queen’s University Belfast,
Northern Ireland Science Park,
Queen’s Road,
Queen’s Island,
Belfast,
BT3 9DT
Tel +44 (0)28 9097 1700

The Centre for Secure Information Technologies (CSIT) is the UK’s Innovation and Knowledge Centre for cyber security technology research and is based at Queen’s University Belfast’s ECIT Institute.

CSIT brings together research specialists in data encryption, networking, wireless security and intelligent surveillance who are establishing a global innovation hub for cyber security. This means that CSIT will accelerate new value creation, drive new venture creation and build capacity for the cyber security industry. Operating an Open Innovation Model to drive collaboration, its partners include Altera, BAE Systems, Cisco, IBM, Infosys, Intel/McAfee, Roke, Thales, numerous SMEs, spin-out ventures and leading institutes in the USA, South Korea, India and Europe.